
fix: use credentialManager.GetPolicy for AttachGroupPolicy validation

Policies created via CreatePolicy through credentialManager are stored
in the credential store, not in s3cfg.Policies (which only has static
config policies). Change AttachGroupPolicy to use credentialManager.GetPolicy()
for policy existence validation.
pull/8560/head
Chris Lu 1 day ago
parent
commit
66661de746
  1. 18
      weed/s3api/s3api_embedded_iam.go

18
weed/s3api/s3api_embedded_iam.go

@ -1583,7 +1583,7 @@ func (e *EmbeddedIamApi) RemoveUserFromGroup(s3cfg *iam_pb.S3ApiConfiguration, v
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)} return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("group %s does not exist", groupName)}
} }
func (e *EmbeddedIamApi) AttachGroupPolicy(s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamAttachGroupPolicyResponse, *iamError) {
func (e *EmbeddedIamApi) AttachGroupPolicy(ctx context.Context, s3cfg *iam_pb.S3ApiConfiguration, values url.Values) (*iamAttachGroupPolicyResponse, *iamError) {
resp := &iamAttachGroupPolicyResponse{} resp := &iamAttachGroupPolicyResponse{}
groupName := values.Get("GroupName") groupName := values.Get("GroupName")
policyArn := values.Get("PolicyArn") policyArn := values.Get("PolicyArn")
@ -1594,17 +1594,13 @@ func (e *EmbeddedIamApi) AttachGroupPolicy(s3cfg *iam_pb.S3ApiConfiguration, val
if err != nil { if err != nil {
return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err} return resp, &iamError{Code: iam.ErrCodeInvalidInputException, Error: err}
} }
// Verify policy exists
policyFound := false
for _, p := range s3cfg.Policies {
if p.Name == policyName {
policyFound = true
break
// Verify policy exists via credential manager
if e.credentialManager != nil {
policy, pErr := e.credentialManager.GetPolicy(ctx, policyName)
if pErr != nil || policy == nil {
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
} }
} }
if !policyFound {
return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
}
for _, g := range s3cfg.Groups { for _, g := range s3cfg.Groups {
if g.Name == groupName { if g.Name == groupName {
// Check if already attached (idempotent) // Check if already attached (idempotent)
@ -2073,7 +2069,7 @@ func (e *EmbeddedIamApi) ExecuteAction(ctx context.Context, values url.Values, s
} }
case "AttachGroupPolicy": case "AttachGroupPolicy":
var iamErr *iamError var iamErr *iamError
response, iamErr = e.AttachGroupPolicy(s3cfg, values)
response, iamErr = e.AttachGroupPolicy(ctx, s3cfg, values)
if iamErr != nil { if iamErr != nil {
return nil, iamErr return nil, iamErr
} }
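Review bot: In the second hunk the policy-existence check is now skipped entirely when `e.credentialManager` is nil, so an AttachGroupPolicy request naming a non-existent policy succeeds in that configuration; the removed code always validated against `s3cfg.Policies`, and keeping that loop as the fallback branch restores the check. In the same hunk, `pErr != nil` is folded into NoSuchEntity, so a credential-store failure during lookup is reported to the caller as "policy not found" rather than as a service error, which hides outages and misleads operators; split the two cases (if GetPolicy itself reports absence through an error rather than a nil policy, that specific case should still map to NoSuchEntity — confirm against its contract). The function AttachGroupPolicy continues past the end of this hunk. The other two hunks only thread `ctx` through the signature and the call site.
```go
	// Verify policy exists: credential store first, static config as fallback
	if e.credentialManager != nil {
		policy, pErr := e.credentialManager.GetPolicy(ctx, policyName)
		if pErr != nil {
			// a lookup failure is not evidence that the policy is absent
			return resp, &iamError{Code: iam.ErrCodeServiceFailureException, Error: fmt.Errorf("looking up policy %s: %w", policyName, pErr)}
		}
		if policy == nil {
			return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
		}
	} else {
		policyFound := false
		for _, p := range s3cfg.Policies {
			if p.Name == policyName {
				policyFound = true
				break
			}
		}
		if !policyFound {
			return resp, &iamError{Code: iam.ErrCodeNoSuchEntityException, Error: fmt.Errorf("policy %s not found", policyName)}
		}
	}
	// … unchanged: group lookup and idempotent attach …
```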
